
Re: "Fix" of sudo with DSA-946-1



Freek Dijkstra wrote:
> The correct action in this case, IMHO, should have been to apply the 
> patch (of course!), but also add a postinst script, which gives a BIG 
> warning telling people that they need to change /etc/sudoers.
> The postinst scripts of the kernel-image-* packages are examples of how it 
> should have been done. I sincerely hope that we will shortly see a 
> sudo_1.6.8p7-1.4 which has such a warning.

This big warning is the DSA advisory. If you install security updates
you have to read it, there's no way around it.

> I also recommend taking a look at bug #349129:
> "The new behaviour regarding env sanitising is not reflected in the 
> sudoers or the sudo manpages and there is no news.debian file in the 
> sarge package; one must read the security announcement very precisely
> to find out how to deal with the change."

If someone wants to prepare a more elaborate explanation of what needs
to be done to whitelist env vars and the possible caveats, please send
it to team@security.debian.org and we could send it out as 946-2; that
would be better than people reverting their installations to the vulnerable
1.2 version.

Cheers,
        Moritz
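As an added example (not part of this mailing-list thread, and not Debian's or sudo's own code), the script below audits the two ways an administrator might react to the change discussed above: reverting the sanitiser with `Defaults !env_reset`, or keeping `env_reset` on and whitelisting the variables users actually need with `env_keep`. The sudoers fragments are constructed; the `Defaults`, `env_reset` and `env_keep` (`=`, `+=`, `-=`) syntax follows sudoers(5). The function names, the assumed default of `env_reset` being enabled (the behaviour the updated package introduced), and the list of code-loading variables flagged as risky are my own choices, not taken from the advisory.

```python
import re

# Constructed /etc/sudoers fragments (not from the thread).
# Reverting the sanitiser: every caller variable reaches the target command again.
SUDOERS_REVERTED = """
# constructed example: the dangerous shortcut
Defaults !env_reset
root    ALL=(ALL) ALL
"""

# Keeping the sanitiser on and passing through only what users need.
SUDOERS_WHITELISTED = """
# constructed example: keep env_reset, whitelist what users need
Defaults env_reset, mail_badpass
Defaults env_keep = "COLORS DISPLAY HOSTNAME LS_COLORS"
Defaults env_keep += "EDITOR VISUAL"
Defaults env_keep -= "COLORS"
root    ALL=(ALL) ALL
"""

# Variables that steer which code the dynamic loader or an interpreter runs.
# Chosen by the author of this example; not a list from the advisory.
CODE_LOADING_VARS = {
    "LD_PRELOAD", "LD_LIBRARY_PATH",
    "PERLLIB", "PERL5LIB", "PERL5OPT",
    "PYTHONPATH", "PYTHONINSPECT",
}

# One Defaults option: optional '!', name, optional operator and value.
OPTION_RE = re.compile(r'(!?[A-Za-z_]+)(?:\s*([+-]?=)\s*("[^"]*"|[^,\s]+))?')
DEFAULTS_RE = re.compile(r'Defaults\S*\s+(.*)')  # also matches Defaults:user / Defaults@host


def effective_env_policy(sudoers_text, default_env_reset=True):
    """Return (env_reset, kept) after applying all Defaults lines in order.

    default_env_reset=True is an assumption: the patched package turns the
    sanitiser on unless a Defaults line switches it off.
    """
    env_reset = default_env_reset
    kept = []
    for raw in sudoers_text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments (also hides #include)
        match = DEFAULTS_RE.match(line)
        if not match:
            continue
        for name, op, value in OPTION_RE.findall(match.group(1)):
            if name == 'env_reset':
                env_reset = True
            elif name == '!env_reset':
                env_reset = False
            elif name == 'env_keep':
                words = value.strip('"').split()
                if op == '=':
                    kept = list(words)
                elif op == '+=':
                    kept += [w for w in words if w not in kept]
                elif op == '-=':
                    kept = [w for w in kept if w not in words]
    return env_reset, kept


def audit(sudoers_text):
    """Return human-readable findings; an empty list means the policy looks sane."""
    env_reset, kept = effective_env_policy(sudoers_text)
    findings = []
    if not env_reset:
        findings.append("env_reset is disabled: the caller's whole environment "
                        "reaches commands run through sudo")
    for var in kept:
        if var in CODE_LOADING_VARS:
            findings.append(f"env_keep passes through {var}, which controls "
                            f"what code the target program loads")
    return findings


if __name__ == '__main__':
    for label, text in (("reverted", SUDOERS_REVERTED),
                        ("whitelisted", SUDOERS_WHITELISTED)):
        print(label, effective_env_policy(text))
        for finding in audit(text):
            print("  !", finding)
```

Run it against a real `/etc/sudoers` by reading the file into `audit()`; an empty result means `env_reset` is still in force and none of the whitelisted variables influence code loading. It deliberately does not model `env_check` or `env_delete`, which the thread does not discuss.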